The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

6 May 2021

Overall rating

Your overall rating was amber.

  • Yes: 2
  • No: 5
  • In part: 2

RED: not in place


Do you have a record of what personal data you hold? Do you know what you use it for?


Suggested actions:

You should:

  • use our interactive tool to help you identify your lawful basis, if you need to, then
  • create a record, such as a spreadsheet, of the personal data you hold, what you do with it and your lawful basis for processing it.

Note: You don’t need to record every piece of personal data you hold, just the type of information. For example, record ‘email addresses’ rather than listing every email address you hold.

Further reading

If you would like more detailed information on this part of the Checklist, please visit the links below:

Guide to the UK GDPR – Documentation

Guide to the UK GDPR – Lawfulness, fairness and transparency

Guide to the UK GDPR – Purpose limitation

Guide to the UK GDPR – Lawful basis

Do people know you have their personal data and understand how you use it?


Suggested actions:

If you don’t provide any privacy information currently, you must create a privacy notice that includes:

  • the name of your business and the person responsible for data protection
  • why you hold the personal data (your lawful basis) and what you do with it
  • where you got the data from
  • who you share the data with and how you do this (including any sharing outside the UK)
  • how long you keep the data for
  • how people can request access to, or correction or deletion of, their data
  • how to complain to the ICO
  • whether you make automated decisions or do profiling based on the data you hold
  • whether you publish this information on any leaflets, posters or websites you use

If you do provide some privacy information but it doesn't include all of the above, you must update it.

Further reading

If you would like more detailed information on this part of the Checklist, please visit the links below:

Our guidance on the right to be informed includes all the information that the UK GDPR requires.

Our Employment Practices Code contains more information about processing the personal data of your employees.

If you have CCTV, there may be further actions to take. Please see our CCTV Code of Practice.

If you process the personal data of children, you should read our Children’s guidance.

Here's a template you could use to help you create your privacy notice. Remember though, a layered approach is always best - try to inform people whenever you can and use different means to explain to people how you use their personal data.

Do you keep personal data accurate and up to date?


Suggested actions:

You should:

  • regularly check the information you hold to make sure it is still accurate and up to date (how regularly you check depends on what you are processing and why), then
  • make sure you can easily and quickly update any information you have.

Further reading

If you would like more detailed information on this part of the Checklist, please visit the links below:

Guide to the UK GDPR – Right to rectification

Do you have a way for people to exercise their rights regarding the personal data you hold about them?


Suggested actions:

You should:

  • ensure that all staff are aware of these rights
  • train your staff about what requests might come in from individuals and what to do if this happens, and
  • make sure you can act on requests. For example, make sure your computer programs allow you to delete or amend information.

If you receive a request, you should respond within one month.

Further reading

If you would like more detailed information on this part of the Checklist, please visit the links below:

Your Data Matters

Guide to the UK GDPR – The right to be informed

Guide to the UK GDPR – The right of access

Guide to the UK GDPR – The right to rectification

Guide to the UK GDPR – The right to erasure

Guide to the UK GDPR – The right to restrict processing

Guide to the UK GDPR – The right to data portability

Guide to the UK GDPR – The right to object

Guide to the UK GDPR – Rights in relation to automated decision making and profiling

Do you know if you are obliged to pay a data protection fee?


Every business that processes personal information is required to pay a data protection fee to the ICO, unless they’re exempt. Not paying when you should may result in a fine of up to £4,000.

If you hold and process personal information (including names and addresses) on any electronic device, you may need to pay.

You can find out more here:

AMBER: partially in place

Do you keep personal data secure?


Suggested actions:

You should review (and improve, if necessary) your current security arrangements in your office or home working environment. Here are some ways you can do this:

  • Use computer passwords and don’t share them. If you think someone may know your password, change it.
  • Lock or log off computers when you are away from your desk.
  • Dispose of confidential paper waste securely by shredding it.
  • Dispose of IT equipment securely and make sure there is no personal data left on any hard drives.
  • Take care when opening emails and attachments or visiting new websites in case of malicious links and malware.
  • Make sure paper copies of personal data are securely stored when not being used.
  • Make visitors sign in and out of the premises. Accompany them in areas normally restricted to staff.
  • Encrypt any mobile devices and only use secure wi-fi.
  • Encrypt personal data being taken out of the office, especially if it would cause damage or distress if lost or stolen.
  • Be aware of your surroundings when working outside the office, say in a cafe or on a train. Make sure people can’t inadvertently see any personal data you are working on.
  • Make sure you back up your data.
  • Limit access to personal data to those who really need it.
  • Minimise paper information taken out of the office.

Further reading

If you would like more detailed information on this part of the Checklist, please visit the links below:

Guide to the UK GDPR – Security

Deleting personal data

UK GDPR security outcomes

Encryption

Practical guide to IT security

Do you and your staff (if you have any) know your data protection responsibilities?


Suggested actions:

You should:

  • train all your staff handling personal data on their data protection responsibilities
  • use awareness materials to keep reminding your staff about keeping data safe and secure (ICO resources are available), and
  • make sure your staff know what to do if you have a breach or if something goes wrong.

Further reading

If you would like more detailed information on this part of the Checklist, please visit the links below:

Guide to the UK GDPR – Data protection officers

Guide to the UK GDPR – Accountability

Personal data breach guidance

Guide to the UK GDPR – Security

GREEN: in place


Do you only collect the personal data you need?

Do you only keep personal data for as long as it is needed?


Thank you for using the small business owners and sole traders checklist. Let us know what you think by completing our short survey.